[Swan-dev] ipsecme-split-dns

Antony Antony antony at phenome.org
Wed Dec 13 17:33:59 UTC 2017


It may be too late to apply a revert: the code has diverged since my last e-mail, with 8b7a22dd82a836.

If you apply now, you may have to revert 8b7a22dd82a836 too.

-antony

On Wed, Dec 13, 2017 at 06:22:01PM +0100, Antony Antony wrote:
> On Wed, Dec 13, 2017 at 11:47:03AM -0500, Paul Wouters wrote:
> > On Wed, 13 Dec 2017, Antony Antony wrote:
> > 
> > > I wonder why not revert the accident first? and comeback when you mean to.
> > > that is my preference. Then there is a clear path, accident revert!
> > 
> > Can you undo a merge commit atomically? the man page isn't looking
> > promising: 
> 
> not automatically! not using single command either. However, creating a diff 
> and applying it soon after the accident seems easy to do. As there are more 
> commits on the top single patch may get harder.
> 
> Here is one patch that revert everything that came through the merge.
> A functional revert is easy, just one diff for the entire merge.
> 
> A side effect is that the individual commits will not have a corresponding revert;
> for a future merge you would have to create them again from master.
> 
> > And /usr/share/doc/git-1.8.3.1/howto/revert-a-faulty-merge.txt makes it
> > look even less of a good idea to revert the merge?
> 
> what do you think one patch idea? 
> 
> -antony

> From b4afd19f13cf33bda929c8d33200c7975fb5d4a4 Mon Sep 17 00:00:00 2001
> From: Antony Antony <antony at phenome.org>
> Date: Wed, 13 Dec 2017 18:05:02 +0100
> Subject: [PATCH] Reverts 2b7ad4446c350cd0245b3bbc73980a7a4ee6ef6e
> 
> Merge branch 'ipsecme-split-dns'
> ---
>  include/ietf_constants.h        |  4 +-
>  include/ipsecconf/confread.h    |  2 -
>  include/ipsecconf/keywords.h    |  2 -
>  include/whack.h                 |  2 -
>  lib/libipsecconf/confread.c     |  6 ---
>  lib/libipsecconf/keywords.c     |  3 --
>  lib/libipsecconf/starterwhack.c |  5 ---
>  lib/libswan/constants.c         |  7 +---
>  lib/libwhack/whacklib.c         |  4 --
>  programs/pluto/connections.c    | 13 ------
>  programs/pluto/connections.h    |  2 -
>  programs/pluto/ikev2.h          |  2 +-
>  programs/pluto/ikev2_child.c    | 89 +++++++++++------------------------------
>  programs/pluto/ikev2_parent.c   | 72 +++++----------------------------
>  programs/pluto/state.h          |  1 -
>  programs/whack/whack.c          | 18 ---------
>  16 files changed, 38 insertions(+), 194 deletions(-)
> 
> diff --git a/include/ietf_constants.h b/include/ietf_constants.h
> index 3979f09df..e6092e9aa 100644
> --- a/include/ietf_constants.h
> +++ b/include/ietf_constants.h
> @@ -1206,9 +1206,7 @@ enum ikev2_cp_attribute_type {
>  	IKEv2_P_CSCF_IP6_ADDRESS = 21,
>  	IKEv2_FTT_KAT = 22,
>  	IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23,
> -	IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24,
> -	IKEv2_INTERNAL_DNS_DOMAIN = 25,
> -	/* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */
> +	IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24
>  };
>  
>  
> diff --git a/include/ipsecconf/confread.h b/include/ipsecconf/confread.h
> index 049a5cecc..85d11c143 100644
> --- a/include/ipsecconf/confread.h
> +++ b/include/ipsecconf/confread.h
> @@ -109,8 +109,6 @@ struct starter_conn {
>  	char *modecfg_dns2;
>  	char *modecfg_domain;
>  	char *modecfg_banner;
> -	char *internal_domain1;
> -	char *internal_domain2;
>  	char *policy_label;
>  	char *conn_mark_both;
>  	char *conn_mark_in;
> diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
> index 99f44f055..758701aff 100644
> --- a/include/ipsecconf/keywords.h
> +++ b/include/ipsecconf/keywords.h
> @@ -196,8 +196,6 @@ enum keyword_string_conn_field {
>  	KSCF_MODECFGDNS1,
>  	KSCF_MODECFGDNS2,
>  	KSCF_MODECFGDOMAIN,
> -	KSCF_INTERNALDOMAIN1,
> -	KSCF_INTERNALDOMAIN2,
>  	KSCF_MODECFGBANNER,
>  	KSCF_IKE,
>  	KSCF_ESP,
> diff --git a/include/whack.h b/include/whack.h
> index c8eb98475..91c8fd244 100644
> --- a/include/whack.h
> +++ b/include/whack.h
> @@ -305,8 +305,6 @@ struct whack_message {
>  	ip_address modecfg_dns2;
>  	char *modecfg_domain;
>  	char *modecfg_banner;
> -	char *internal_domain1;
> -	char *internal_domain2;
>  
>  	char *conn_mark_both;
>  	char *conn_mark_in;
> diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
> index cd7bd5004..5527ea0c3 100644
> --- a/lib/libipsecconf/confread.c
> +++ b/lib/libipsecconf/confread.c
> @@ -1238,8 +1238,6 @@ static bool load_conn(
>  	str_to_conn(modecfg_dns1, KSCF_MODECFGDNS1);
>  	str_to_conn(modecfg_dns2, KSCF_MODECFGDNS2);
>  	str_to_conn(modecfg_domain, KSCF_MODECFGDOMAIN);
> -	str_to_conn(internal_domain1, KSCF_INTERNALDOMAIN1);
> -	str_to_conn(internal_domain2, KSCF_INTERNALDOMAIN2);
>  	str_to_conn(modecfg_banner, KSCF_MODECFGBANNER);
>  
>  	str_to_conn(conn_mark_both, KSCF_CONN_MARK_BOTH);
> @@ -1411,8 +1409,6 @@ static void conn_default(struct starter_conn *conn,
>  
>  	conn->modecfg_dns1 = clone_str(def->modecfg_dns1, "conn default dns1");
>  	conn->modecfg_dns2 = clone_str(def->modecfg_dns2, "conn default dns2");
> -	conn->internal_domain1 = clone_str(def->internal_domain1, "conn default internal-domain1");
> -	conn->internal_domain2 = clone_str(def->internal_domain2, "conn default internal-domain2");
>  	conn->modecfg_domain = clone_str(def->modecfg_domain, "conn default domain");
>  	conn->modecfg_banner = clone_str(def->modecfg_banner, "conn default banner");
>  	conn->conn_mark_both = clone_str(def->conn_mark_both, "conn default conn_mark_both");
> @@ -1570,8 +1566,6 @@ static void confread_free_conn(struct starter_conn *conn)
>  
>  	pfreeany(conn->modecfg_dns1);
>  	pfreeany(conn->modecfg_dns2);
> -	pfreeany(conn->internal_domain1);
> -	pfreeany(conn->internal_domain2);
>  
>  	pfreeany(conn->left.virt);
>  	pfreeany(conn->right.virt);
> diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
> index a9cd32707..ff869f128 100644
> --- a/lib/libipsecconf/keywords.c
> +++ b/lib/libipsecconf/keywords.c
> @@ -587,9 +587,6 @@ const struct keyword_def ipsec_conf_keywords[] = {
>    { "modecfgdns1",  kv_conn,  kt_string,  KSCF_MODECFGDNS1, NULL, NULL, },
>    { "modecfgdns2",  kv_conn,  kt_string,  KSCF_MODECFGDNS2, NULL, NULL, },
>  
> -  { "internaldomain1",  kv_conn,  kt_string,  KSCF_INTERNALDOMAIN1,  NULL, NULL },
> -  { "internaldomain2",  kv_conn,  kt_string,  KSCF_INTERNALDOMAIN2,  NULL, NULL },
> -
>    { "modecfgdomain",  kv_conn,  kt_string,  KSCF_MODECFGDOMAIN, NULL, NULL, },
>    { "modecfgbanner",  kv_conn,  kt_string,  KSCF_MODECFGBANNER, NULL, NULL, },
>    { "mark",  kv_conn,  kt_string,  KSCF_CONN_MARK_BOTH, NULL, NULL, },
> diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
> index d019a63da..5fd002eff 100644
> --- a/lib/libipsecconf/starterwhack.c
> +++ b/lib/libipsecconf/starterwhack.c
> @@ -672,9 +672,6 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
>  	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgbanner=%s",
>  		conn->name, msg.modecfg_banner);
>  
> -	msg.internal_domain1 = conn->internal_domain1;
> -	msg.internal_domain2 = conn->internal_domain2;
> -
>  	msg.conn_mark_both = conn->conn_mark_both;
>  	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark=%s",
>  		conn->name, msg.conn_mark_both);
> @@ -715,8 +712,6 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
>  				"Ignoring modecfgdns2= entry, it is not a valid IPv4 or IPv6 address");
>  	}
>  
> -	/* add sanity check for internal_dns / internal_domain */
> -
>  	set_whack_end("left",  &msg.left, &conn->left);
>  	set_whack_end("right", &msg.right, &conn->right);
>  
> diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
> index d98979b7b..118bdcae4 100644
> --- a/lib/libswan/constants.c
> +++ b/lib/libswan/constants.c
> @@ -1362,15 +1362,12 @@ static const char *const ikev2_cp_attribute_type_name[] = {
>  	"IKEv2_P_CSCF_IP6_ADDRESS",
>  	"IKEv2_FTT_KAT",
>  	"IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */
> -	"IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */
> -	"IKEv2_INTERNAL_DNS_DOMAIN", /* draft-pauly-ipsecme-split-dns-01 */
> -	/* "IKEv2_INTERNAL_DNSSEC_TA", expected draft-pauly-ipsecme-split-dns-01 */
> +	"IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK" /* 3gpp */
>  };
>  
>  enum_names ikev2_cp_attribute_type_names = {
>  	IKEv2_CP_ATTR_RESERVED,
> -	/* IKEv2_INTERNAL_DNSSEC_TA, */
> -	IKEv2_INTERNAL_DNS_DOMAIN,
> +	IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK,
>  	ARRAY_REF(ikev2_cp_attribute_type_name),
>  	NULL, /* prefix */
>  	NULL
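Review bot: The upper bound of `ikev2_cp_attribute_type_names` is now hand-set to IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK and must agree with both the last string in `ikev2_cp_attribute_type_name[]` above and the last member of `enum ikev2_cp_attribute_type` in ietf_constants.h (also edited by this patch), but nothing in the code ties the three together. Suggest annotating the bound: `IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK, /* last: keep in sync with ikev2_cp_attribute_type in ietf_constants.h and the array above */`. Since ARRAY_REF() already supplies the array length, a mismatch between the bound and the array would only show up as a wrong or missing name at runtime, which is why the comment matters.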
> diff --git a/lib/libwhack/whacklib.c b/lib/libwhack/whacklib.c
> index 1974772ca..70205afe4 100644
> --- a/lib/libwhack/whacklib.c
> +++ b/lib/libwhack/whacklib.c
> @@ -134,8 +134,6 @@ err_t pack_whack_msg(struct whackpacker *wp)
>  	    !pack_str(wp, &wp->msg->conn_mark_in) ||		/* string 31 */
>  	    !pack_str(wp, &wp->msg->conn_mark_out) ||		/* string 32 */
>  	    !pack_str(wp, &wp->msg->vti_iface) ||		/* string 33 */
> -	    !pack_str(wp, &wp->msg->internal_domain1) ||                          /* string 34 */
> -	    !pack_str(wp, &wp->msg->internal_domain2) ||                          /* string 35 */
>  	    !pack_str(wp, &wp->msg->remote_host) ||		/* string 33 */
>  	    wp->str_roof - wp->str_next < (ptrdiff_t)wp->msg->keyval.len)	/* key */
>  	{
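Review bot: After the revert the field-numbering comments are inconsistent: both `vti_iface` and `remote_host` are annotated `/* string 33 */`, which is exactly how the next added field ends up misnumbered. Suggest `!pack_str(wp, &wp->msg->remote_host) ||		/* string 34 */` here and the matching line in unpack_whack_msg in the next hunk. The pack and unpack sequences must stay in the same order; this patch keeps them aligned, but pack_whack_msg's body starts and ends outside the hunk so the remaining fields cannot be checked from here.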
> @@ -204,8 +202,6 @@ err_t unpack_whack_msg(struct whackpacker *wp)
>  	    !unpack_str(wp, &wp->msg->conn_mark_in) ||		/* string 31 */
>  	    !unpack_str(wp, &wp->msg->conn_mark_out) ||		/* string 32 */
>  	    !unpack_str(wp, &wp->msg->vti_iface) ||		/* string 33 */
> -	    !unpack_str(wp, &wp->msg->internal_domain1) ||      /* string 34 */
> -	    !unpack_str(wp, &wp->msg->internal_domain2) ||      /* string 35 */
>  	    !unpack_str(wp, &wp->msg->remote_host) ||		/* string 33 */
>  	    wp->str_roof - wp->str_next != (ptrdiff_t)wp->msg->keyval.len)
>  	{
> diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
> index 6d8e6fa4f..e0d8d798c 100644
> --- a/programs/pluto/connections.c
> +++ b/programs/pluto/connections.c
> @@ -790,10 +790,6 @@ static void unshare_connection(struct connection *c)
>  				"connection cisco_dns_info");
>  	c->modecfg_domain = clone_str(c->modecfg_domain,
>  				"connection modecfg_domain");
> -	c->internal_domain1 = clone_str(c->internal_domain1,
> -				"connection internal domain1");
> -	c->internal_domain2 = clone_str(c->internal_domain2,
> -				"connection internal domain1");
>  	c->modecfg_banner = clone_str(c->modecfg_banner,
>  				"connection modecfg_banner");
>  #ifdef HAVE_LABELED_IPSEC
> @@ -1666,8 +1662,6 @@ void add_connection(const struct whack_message *wm)
>  
>  		c->modecfg_dns1 = wm->modecfg_dns1;
>  		c->modecfg_dns2 = wm->modecfg_dns2;
> -		c->internal_domain1 = wm->internal_domain1;
> -		c->internal_domain2 = wm->internal_domain2;
>  		c->modecfg_domain = wm->modecfg_domain;
>  		c->modecfg_banner = wm->modecfg_banner;
>  
> @@ -4046,13 +4040,6 @@ static void show_one_sr(const struct connection *c,
>  
>  #undef COMBO
>  
> -	whack_log(RC_COMMENT,
> -		"\"%s\"%s:   internal domain1:%s, domain2:%s;",
> -		c->name, instance,
> -		c->internal_domain1,
> -		c->internal_domain2
> -		);
> -
>  	if (c->modecfg_banner != NULL) {
>  		whack_log(RC_COMMENT, "\"%s\"%s: banner:%s;",
>  		c->name, instance, c->modecfg_banner);
> diff --git a/programs/pluto/connections.h b/programs/pluto/connections.h
> index 1b75ec3f3..88aa5a2c0 100644
> --- a/programs/pluto/connections.h
> +++ b/programs/pluto/connections.h
> @@ -332,8 +332,6 @@ struct connection {
>  	char *cisco_dns_info; /* scratchpad for writing IP addresses */
>  	char *modecfg_domain;
>  	char *modecfg_banner;
> -	char *internal_domain1;
> -	char *internal_domain2;
>  
>  	u_int8_t metric;	/* metric for tunnel routes */
>  	u_int16_t connmtu;	/* mtu for tunnel routes */
> diff --git a/programs/pluto/ikev2.h b/programs/pluto/ikev2.h
> index 489123841..2961593c8 100644
> --- a/programs/pluto/ikev2.h
> +++ b/programs/pluto/ikev2.h
> @@ -248,7 +248,7 @@ extern bool ship_v2N(enum next_payload_types_ikev2 np,
>  extern deltatime_t ikev2_replace_delay(struct state *st, enum event_type *pkind,
>  				       enum original_role role);
>  
> -stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
> +stf_status ikev2_send_cp(struct connection *c, enum next_payload_types_ikev2 np,
>  		pb_stream *outpbs);
>  
>  bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st);
> diff --git a/programs/pluto/ikev2_child.c b/programs/pluto/ikev2_child.c
> index 8b994c901..6934cae70 100644
> --- a/programs/pluto/ikev2_child.c
> +++ b/programs/pluto/ikev2_child.c
> @@ -1002,7 +1002,7 @@ stf_status ikev2_child_sa_respond(struct msg_digest *md,
>  	if (c->spd.that.has_lease &&
>  			md->chain[ISAKMP_NEXT_v2CP] != NULL &&
>  			cst->st_state != STATE_V2_REKEY_IKE_R) {
> -		ikev2_send_cp(pst, ISAKMP_NEXT_v2SA, outpbs);
> +		ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs);
>  	} else if (md->chain[ISAKMP_NEXT_v2CP] != NULL) {
>  		DBG(DBG_CONTROL, DBG_log("#%lu %s ignoring unexpected v2CP payload",
>  					cst->st_serialno,
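Review bot: The stf_status returned by `ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs);` is discarded on the new side, whereas the other caller in ikev2_parent_inR1outI2_tail (later in this patch) checks it with `if (cpstat != STF_OK)`; a failure while writing the CP payload would leave a truncated payload and the responder would carry on building the reply. Suggest `stf_status cpstat = ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs); if (cpstat != STF_OK) return cpstat;`, assuming an early return is safe at this point of ikev2_child_sa_respond, whose body starts and ends outside this hunk.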
> @@ -1182,17 +1182,15 @@ stf_status ikev2_child_sa_respond(struct msg_digest *md,
>  	return STF_OK;
>  }
>  
> -static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
> +static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st)
>  {
>  	ip_address ip;
>  	char ip_str[ADDRTOT_BUF];
>  	struct connection *c = st->st_connection;
> -	err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), af, &ip);
> -	bool responder = (st->st_state != STATE_PARENT_I2);
> +	err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), AF_INET, &ip);
>  
> -	if ((ugh != NULL && st->st_state == STATE_PARENT_I2)) {
> -		libreswan_log("ERROR INTERNAL_IP%s_DNS malformed: %s",
> -			af == AF_INET ? "4" : "6", ugh);
> +	if (ugh != NULL) {
> +		libreswan_log("ERROR INTERNAL_IP4_DNS malformed: %s", ugh);
>  		return FALSE;
>  	}
>  
> @@ -1206,15 +1204,6 @@ static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
>  	libreswan_log("received INTERNAL_IP4_DNS %s",
>  			ip_str);
>  
> -	if (c->policy & POLICY_OPPORTUNISTIC) {
> -		libreswan_log("ignored INTERNAL_IP4_DNS CP payload for Opportunistic IPsec");
> -		return TRUE;
> -	}
> -	if (responder) {
> -		libreswan_log("responder INTERNAL_IP4_DNS CP ignored");
> -		return TRUE;
> -	}
> -
>  	char *old = c->cisco_dns_info;
>  
>  	if (old == NULL) {
> @@ -1238,30 +1227,27 @@ static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
>  	return TRUE;
>  }
>  
> -static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st, int af)
> +static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st)
>  {
>  	ip_address ip;
>  	ipstr_buf ip_str;
>  	struct connection *c = st->st_connection;
> -	err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), af, &ip);
> -	bool responder = st->st_state != STATE_PARENT_I2;
> +	err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), AF_INET, &ip);
>  
> -	if ((ugh != NULL && st->st_state == STATE_PARENT_I2) || isanyaddr(&ip)) {
> -		libreswan_log("ERROR INTERNAL_IP%s_ADDRESS malformed: %s",
> -			af == AF_INET ? "4" : "6",
> -			ugh == NULL ? ipstr(&ip, &ip_str) : ugh);
> +	if (ugh != NULL) {
> +		libreswan_log("ERROR INTERNAL_IP4_ADDRESS malformed: %s", ugh);
>  		return FALSE;
>  	}
>  
> -	libreswan_log("received INTERNAL_IP%s_ADDRESS %s",
> -			af == AF_INET ? "4" : "6",
> -			 ipstr(&ip, &ip_str));
> -
> -	if (responder) {
> -		libreswan_log("responder CP ignored");
> -		return TRUE;
> +	if (isanyaddr(&ip)) {
> +		libreswan_log("ERROR INTERNAL_IP4_ADDRESS %s is invalid",
> +			ipstr(&ip, &ip_str));
> +		return FALSE;
>  	}
>  
> +	libreswan_log("received INTERNAL_IP4_ADDRESS %s",
> +			ipstr(&ip, &ip_str));
> +
>  	c->spd.this.has_client = TRUE;
>  	c->spd.this.has_internal_address = TRUE;
>  
> @@ -1271,16 +1257,12 @@ static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st, int af)
>  		if (sameaddr(&c->spd.this.client.addr, &ip)) {
>  			/* The address we received is same as this side
>  			 * should we also check the host_srcip */
> -			DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received NTERNAL_IP%s_ADDRESS which is same as this.client.addr %s. Will not add CAT iptable rules",
> +			DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received NTERNAL_IP4_ADDRESS which is same as this.client.addr %s. Will not add CAT iptable rules",
>  				st->st_serialno, c->name, c->instance_serial,
> -				af == AF_INET ? "4" : "6",
>  				ipstr(&ip, &ip_str)));
>  		} else {
>  			c->spd.this.client.addr = ip;
> -			if (af == AF_INET)
> -				c->spd.this.client.maskbits = 32;
> -			else
> -				c->spd.this.client.maskbits = 128;
> +			c->spd.this.client.maskbits = 32;
>  			st->st_ts_this = ikev2_end_to_ts(&c->spd.this);
>  			c->spd.this.has_cat = TRUE; /* create iptable entry */
>  		}
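Review bot: The DBG message on the new side reads `NTERNAL_IP4_ADDRESS` (missing the leading I), which makes the line hard to grep for next to the `received INTERNAL_IP4_ADDRESS` log above it. One-line fix: `DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received INTERNAL_IP4_ADDRESS which is same as this.client.addr %s. Will not add CAT iptable rules",`. ikev2_set_ia's body starts in the previous hunk and ends outside this one.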
> @@ -1308,17 +1290,11 @@ bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st)
>  	DBG(DBG_CONTROLMORE, DBG_log("#%lu %s[%lu] parsing ISAKMP_NEXT_v2CP payload",
>  				st->st_serialno, c->name, c->instance_serial));
>  
> -	if (st->st_state == STATE_PARENT_I2 && cp->isacp_type !=  IKEv2_CP_CFG_REPLY) {
> +	if (cp->isacp_type !=  IKEv2_CP_CFG_REPLY) {
>  		loglog(RC_LOG_SERIOUS, "ERROR expected IKEv2_CP_CFG_REPLY got a %s",
>  			enum_name(&ikev2_cp_type_names,cp->isacp_type));
>  		return FALSE;
>  	}
> -	if (st->st_state == STATE_PARENT_R1 && cp->isacp_type !=  IKEv2_CP_CFG_REQUEST) {
> -		libreswan_log("ERROR expected IKEv2_CP_CFG_REQUEST got a %s",
> -			enum_name(&ikev2_cp_type_names,cp->isacp_type));
> -		return FALSE;
> -	}
> -
>  	while (pbs_left(attrs) > 0) {
>  		struct ikev2_cp_attribute cp_a;
>  		pb_stream cp_a_pbs;
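Review bot: The unconditional `if (cp->isacp_type != IKEv2_CP_CFG_REPLY)` check is only correct while ikev2_parse_cp_r_body is reached from the initiator, and that precondition is now implicit: the responder-side call in ikev2_parent_inI2outR2_id_tail is removed later in this same patch, and the responder answers a request in ikev2_child_sa_respond via ikev2_send_cp() without parsing it. Suggest stating this above the check: `/* Only the initiator parses a CP payload (expecting CFG_REPLY); a responder answers the request in ikev2_send_cp() without parsing it. */`. The function begins outside this hunk, so any other caller cannot be ruled out from here.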
> @@ -1330,38 +1306,19 @@ bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st)
>  		}
>  
>  		switch (cp_a.type) {
> -		case IKEv2_INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV:
> -			if (!ikev2_set_ia(&cp_a_pbs, st, AF_INET)) {
> +		case INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV:
> +			if (!ikev2_set_ia(&cp_a_pbs, st)) {
>  				loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP4_ADDRESS attribute");
>  				return FALSE;
>  			}
>  			break;
>  
> -		case IKEv2_INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV:
> -			if (!ikev2_set_dns(&cp_a_pbs, st, AF_INET)) {
> +		case INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV:
> +			if (!ikev2_set_dns(&cp_a_pbs, st)) {
>  				loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP4_DNS attribute");
>  				return FALSE;
>  			}
>  			break;
> -
> -		case IKEv2_INTERNAL_IP6_ADDRESS | ISAKMP_ATTR_AF_TLV:
> -			if (!ikev2_set_ia(&cp_a_pbs, st, AF_INET6)) {
> -				loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP6_ADDRESS attribute");
> -				return FALSE;
> -			}
> -			break;
> -
> -		case IKEv2_INTERNAL_IP6_DNS | ISAKMP_ATTR_AF_TLV:
> -			if (!ikev2_set_dns(&cp_a_pbs, st, AF_INET6)) {
> -				loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP6_DNS attribute");
> -				return FALSE;
> -			}
> -			break;
> -		case IKEv2_INTERNAL_DNS_DOMAIN | ISAKMP_ATTR_AF_TLV:
> -			/* ignore their values for now - just note support */
> -			libreswan_log("received INTERNAL_DNS_DOMAIN (content ignored)");
> -			st->st_seen_internal_domain = TRUE;
> -			break;
>  		default:
>  			libreswan_log("unknown attribute %s length %u",
>  				enum_name(&ikev2_cp_attribute_type_names,
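Review bot: The reverted case labels match `INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV` and `INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV`, while the sender in ikev2_send_cp (ikev2_parent.c, this patch) ships `IKEv2_INTERNAL_IP4_ADDRESS` and `IKEv2_INTERNAL_IP4_DNS`. Presumably the unprefixed names are the IKEv1 ModeCfg constants with identical values, but if they ever differ the peer's attributes silently fall into `default:`; suggest using the IKEv2_ names in both case labels so parser and sender share one definition. Separately, with the enum_names bound lowered to 24 in this patch, a peer that still sends INTERNAL_DNS_DOMAIN (25) will reach the `enum_name()` call in the `default:` branch with an out-of-range value; confirm enum_name() yields a printable string rather than NULL before it is passed to `%s`.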
> diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
> index d5da8e904..d9031bf5e 100644
> --- a/programs/pluto/ikev2_parent.c
> +++ b/programs/pluto/ikev2_parent.c
> @@ -2639,37 +2639,11 @@ static stf_status ikev2_ship_cp_attr_ip4(u_int16_t type, ip_address *ip4,
>  	return STF_OK;
>  }
>  
> -static stf_status ikev2_ship_cp_attr_str(u_int16_t type, char *str,
> -		const char *story, pb_stream *outpbs)
> -{
> -	struct ikev2_cp_attribute attr;
> -	pb_stream a_pbs;
> -
> -	attr.type = type;
> -	if (str == NULL)
> -		attr.len = 0;
> -	else
> -		attr.len = strlen(str);
> -
> -	if (!out_struct(&attr, &ikev2_cp_attribute_desc, outpbs,
> -				&a_pbs))
> -		return STF_INTERNAL_ERROR;
> -
> -	if (attr.len > 0) {
> -		if (!out_raw(str, attr.len, &a_pbs, story))
> -			return STF_INTERNAL_ERROR;
> -	}
> -
> -	close_output_pbs(&a_pbs);
> -	return STF_OK;
> -}
> -
> -stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
> +stf_status ikev2_send_cp(struct connection *c, enum next_payload_types_ikev2 np,
>  				  pb_stream *outpbs)
>  {
>  	struct ikev2_cp cp;
>  	pb_stream cp_pbs;
> -	struct connection *c = st->st_connection;
>  	bool cfg_reply = c->spd.that.has_lease;
>  
>  	DBG(DBG_CONTROLMORE, DBG_log("Send Configuration Payload %s ",
> @@ -2682,11 +2656,11 @@ stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
>  	if (!out_struct(&cp, &ikev2_cp_desc, outpbs, &cp_pbs))
>  		return STF_INTERNAL_ERROR;
>  
> -	if (cfg_reply) {
> -		ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
> -			&c->spd.that.client.addr,
> +	ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
> +			cfg_reply ? &c->spd.that.client.addr : NULL,
>  			"IPV4 Address", &cp_pbs);
>  
> +	if (cfg_reply) {
>  		if (!isanyaddr(&c->modecfg_dns1)) {
>  			ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, &c->modecfg_dns1,
>  					"DNS 1", &cp_pbs);
> @@ -2696,19 +2670,9 @@ stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
>  					"DNS 2", &cp_pbs);
>  		}
>  	} else {
> -		ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
> -			 NULL, "IPV4 Address", &cp_pbs);
>  		ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, NULL, "DNS", &cp_pbs);
>  	}
>  
> -	if (st->st_seen_internal_domain) {
> -		/* configured means sent by server or requested limitation by client */
> -		ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, c->internal_domain1,
> -				"INTERNAL DOMAIN 1", &cp_pbs);
> -		ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, c->internal_domain2,
> -				"INTERNAL DOMAIN 2", &cp_pbs);
> -	}
> -
>  	close_output_pbs(&cp_pbs);
>  
>  	return STF_OK;
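Review bot: Every call to ikev2_ship_cp_attr_ip4() in ikev2_send_cp discards its stf_status, and the function ends with an unconditional `return STF_OK;`, so a failure while writing an attribute is reported as success to the caller in ikev2_parent_inR1outI2_tail that does check the result. Only the tail of ikev2_ship_cp_attr_ip4 (`return STF_OK;`) is visible in this patch; by analogy with the removed ikev2_ship_cp_attr_str it presumably returns STF_INTERNAL_ERROR on an out_struct failure — please confirm. The first such call sits in the preceding hunk; propagating the status through all four calls would look like this:

```c
	stf_status ret;

	ret = ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
			cfg_reply ? &c->spd.that.client.addr : NULL,
			"IPV4 Address", &cp_pbs);
	if (ret != STF_OK)
		return ret;

	if (cfg_reply) {
		if (!isanyaddr(&c->modecfg_dns1)) {
			ret = ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS,
					&c->modecfg_dns1, "DNS 1", &cp_pbs);
			if (ret != STF_OK)
				return ret;
		}
		/* … unchanged: same pattern for modecfg_dns2 ("DNS 2") … */
	} else {
		ret = ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, NULL,
				"DNS", &cp_pbs);
		if (ret != STF_OK)
			return ret;
	}

	close_output_pbs(&cp_pbs);
	return STF_OK;
```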
> @@ -2985,16 +2949,18 @@ static stf_status ikev2_record_fragments(struct msg_digest *md,
>  static int ikev2_np_cp_or_sa(struct connection *const pc, int np, const lset_t
>  	   st_nat_traversal)
>  {
> +	int rnp = np;
> +
>  	if (pc->spd.this.modecfg_client) {
>  		if (pc->spd.this.cat) {
>  			if (LHAS(st_nat_traversal, NATED_HOST)) {
> -				return ISAKMP_NEXT_v2CP;
> +				rnp = ISAKMP_NEXT_v2CP;
>  			}
>  		} else {
> -			return ISAKMP_NEXT_v2CP;
> +			rnp = ISAKMP_NEXT_v2CP;
>  		}
>  	}
> -	return np;
> +	return rnp;
>  }
>  
>  static stf_status ikev2_parent_inR1outI2_tail(
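Review bot: ikev2_np_cp_or_sa carries no comment, and the reinstated nested conditions on `modecfg_client`, `cat` and NATED_HOST do not read as a rule on first pass. Suggest a header comment above the definition: `/* Return ISAKMP_NEXT_v2CP when a CP payload must precede the SA: we are a modecfg client and either CAT is off, or CAT is on and we are a NATed host; otherwise return np unchanged. */`. The `rnp` temporary adds nothing over the early returns it replaces, but that is the pre-merge shape being restored and is fine to keep.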
> @@ -3238,7 +3204,7 @@ static stf_status ikev2_parent_inR1outI2_tail(
>  	}
>  
>  	if (send_cp_r == ISAKMP_NEXT_v2CP) {
> -		stf_status cpstat = ikev2_send_cp(pst, ISAKMP_NEXT_v2SA,
> +		stf_status cpstat = ikev2_send_cp(pc, ISAKMP_NEXT_v2SA,
>  				&e_pbs_cipher);
>  
>  		if (cpstat != STF_OK)
> @@ -3322,7 +3288,7 @@ static stf_status ikev2_parent_inR1outI2_tail(
>  		}
>  
>  		if (cc->send_no_esp_tfc) {
> -			if (!ship_v2N( (cc->internal_domain1 != NULL) ? ISAKMP_NEXT_v2CP : ISAKMP_NEXT_v2NONE,
> +			if (!ship_v2N(ISAKMP_NEXT_v2NONE,
>  					ISAKMP_PAYLOAD_NONCRITICAL,
>  					PROTO_v2_RESERVED,
>  					&empty_chunk,
> @@ -3330,14 +3296,6 @@ static stf_status ikev2_parent_inR1outI2_tail(
>  					&e_pbs_cipher))
>  				return STF_INTERNAL_ERROR;
>  		}
> -
> -
> -		/* send CP payload */
> -		if (cc->internal_domain1 != NULL) {
> -			ikev2_send_cp(pst, ISAKMP_NEXT_v2NONE, &e_pbs_cipher);
> -		}
> -
> -
>  	}
>  
>  	const unsigned int len = pbs_offset(&e_pbs_cipher);
> @@ -3601,14 +3559,6 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
>  		ikev2_decode_cr(md);
>  	}
>  
> -	/* process CP payloads */
> -	if (md->chain[ISAKMP_NEXT_v2CP] != NULL) {
> -		if (!ikev2_parse_cp_r_body(md->chain[ISAKMP_NEXT_v2CP], st))
> -		{
> -			return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
> -		}
> -	}
> -
>  	/* process AUTH payload */
>  
>  	enum keyword_authby that_authby = st->st_connection->spd.that.authby;
> diff --git a/programs/pluto/state.h b/programs/pluto/state.h
> index ca8fcbbb5..0a6330feb 100644
> --- a/programs/pluto/state.h
> +++ b/programs/pluto/state.h
> @@ -569,7 +569,6 @@ struct state {
>  	bool st_seen_fragments;                 /* did we receive ike fragments from peer, if so use them in return as well */
>  	bool st_seen_no_tfc;			/* did we receive ESP_TFC_PADDING_NOT_SUPPORTED */
>  	bool st_seen_use_transport;		/* did we receive USE_TRANSPORT_MODE */
> -	bool st_seen_internal_domain;		/* did we receive CP IKEv2_INTERNAL_DNS_DOMAIN */
>  	generalName_t *st_requested_ca;		/* collected certificate requests */
>  	u_int8_t st_reply_xchg;
>  };
> diff --git a/programs/whack/whack.c b/programs/whack/whack.c
> index 8171527aa..a547af0b6 100644
> --- a/programs/whack/whack.c
> +++ b/programs/whack/whack.c
> @@ -123,8 +123,6 @@ static void help(void)
>  		"	[--addresspool <network range>] \\\n"
>  		"	[--modecfgdns1 <ip-address>] [--modecfgdns2 <ip-address>] \\\n"
>  		"	[--modecfgdomain <dns-domain>] \\\n"
> -		"	[--internaldomain1 <dns-domain>] \\\n"
> -		"	[--internaldomain2 <dns-domain>] \\\n"
>  		"	[--modecfgbanner <login banner>] \\\n"
>  		"	[--metric <metric>] \\\n"
>  		"	[--nflog-group <groupnum>] \\\n"
> @@ -375,8 +373,6 @@ enum option_enums {
>  
>  	CD_MODECFGDNS1,
>  	CD_MODECFGDNS2,
> -	CD_INTERNALDOMAIN1,
> -	CD_INTERNALDOMAIN2,
>  	CD_MODECFGDOMAIN,
>  	CD_MODECFGBANNER,
>  	CD_METRIC,
> @@ -642,8 +638,6 @@ static const struct option long_opts[] = {
>  	{ "addresspool", required_argument, NULL, END_ADDRESSPOOL + OO },
>  	{ "modecfgdns1", required_argument, NULL, CD_MODECFGDNS1 + OO },
>  	{ "modecfgdns2", required_argument, NULL, CD_MODECFGDNS2 + OO },
> -	{ "internaldomain1", required_argument, NULL, CD_INTERNALDOMAIN1 + OO },
> -	{ "internaldomain2", required_argument, NULL, CD_INTERNALDOMAIN2 + OO },
>  	{ "modecfgdomain", required_argument, NULL, CD_MODECFGDOMAIN + OO },
>  	{ "modecfgbanner", required_argument, NULL, CD_MODECFGBANNER + OO },
>  	{ "modeconfigserver", no_argument, NULL, END_MODECFGSERVER + OO },
> @@ -899,8 +893,6 @@ int main(int argc, char **argv)
>  	msg.xauthfail = XAUTHFAIL_HARD;
>  	msg.modecfg_domain = NULL;
>  	msg.modecfg_banner = NULL;
> -	msg.internal_domain1 = NULL;
> -	msg.internal_domain2 = NULL;
>  
>  	msg.nic_offload = nic_offload_auto;
>  	msg.sa_ike_life_seconds = deltatime(IKE_SA_LIFETIME_DEFAULT);
> @@ -1887,16 +1879,6 @@ int main(int argc, char **argv)
>  				      &msg.modecfg_dns2), optarg);
>  			continue;
>  
> -		case CD_INTERNALDOMAIN1:	/* --internaldomain1 */
> -			msg.internal_domain1 = strdup(optarg);
> -			fprintf(stderr, "whack: --internaldomain1 %s", optarg);
> -			continue;
> -
> -		case CD_INTERNALDOMAIN2:	/* --internaldomain2 */
> -			fprintf(stderr, "whack: --internaldomain2 %s", optarg);
> -			msg.internal_domain2 = strdup(optarg);
> -			continue;
> -
>  		case CD_MODECFGDOMAIN:	/* --modecfgdomain */
>  			msg.modecfg_domain = strdup(optarg);
>  			continue;
> -- 
> 2.13.6
> 


